from the targeted-app dept

The season of Christmas is upon us. You can feel it everywhere, from the holiday decorations, to the television specials, to the waning interest in workplace productivity. Oh, yeah, and Target is back in the news for losing people's personal information again.

Hackers can access your personal information from Target -- again -- thanks to a flaw in the retailer's mobile app. In a blog post Tuesday, researchers from security company Avast revealed the flaw, which allows unauthorized access to customers' addresses, phone numbers and other personal information from wish lists created with the Target app. The only merry tidings are that credit card numbers don't appear to be stored with the wish lists, so financial information isn't vulnerable.

This of course reminds shoppers everywhere of that time Target was the victim of a hack that resulted in the exposure of millions of customers' credit card information. That breach was so bad, and the news of it so well circulated, that Target set up a website page dedicated to telling customers all about it, assuring them not only that they wouldn't be responsible for any charges on those credit cards, but also assuring customers that the company was, like, super dedicated to security moving forward.

We are committed to making this right and are investing in the internal processes and systems needed to reduce the likelihood that this ever happens again. For example, we are accelerating our plans to put chip-enabled technology in our stores and on our Target REDcards by early 2015, six months ahead of our previous plan.

To our surprise, we discovered that the Target app’s Application Program Interface (API) is easily accessible over the Internet. An API is a set of conditions where if you ask a question it sends the answer. Also, the Target API does not require any authentication. The only thing you need in order to parse all of the data automatically is to figure out how the user ID is generated. Once you have that figured out, all the data is served to you on a silver platter in a JSON file.

The JSON file we requested from Target’s API contained interesting data, like users’ names, email addresses, shipping addresses, phone numbers, the type of registries, and the items on the registries.
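The flaw Avast describes above is the combination of an unauthenticated endpoint and a user ID that can be worked out. As an added example (not Avast's or Target's code; the function names, in-memory stores and sample records are all constructed), this handler shows the checks a registry-lookup API needs so that one working request cannot be turned into a harvest of every owner's contact details: a valid session, an ownership check before owner contact data is returned, and random rather than derivable registry IDs.

```python
"""Added example, not code from Avast or Target: a wish-list/registry lookup
with the controls the finding above says were missing. Every name and record
here is constructed for illustration."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Registry:
    owner: str             # user id of the person who created the registry
    items: List[str]       # gift items; meant to be shared with gift buyers
    shipping_address: str  # owner contact data: only the owner may read it
    phone: str             # owner contact data


# Constructed in-memory stores standing in for the backend database and
# session service.
REGISTRIES: Dict[str, Registry] = {}
SESSIONS: Dict[str, str] = {}  # bearer token -> authenticated user id


def create_registry(owner: str, items: List[str],
                    shipping_address: str, phone: str) -> str:
    """Issue a random, unguessable registry id. A sequential or derivable id
    is what lets a caller enumerate every registry once one request works."""
    registry_id = secrets.token_urlsafe(16)
    REGISTRIES[registry_id] = Registry(owner, items, shipping_address, phone)
    return registry_id


def login(user: str) -> str:
    """Mint a random bearer token for an authenticated user (stand-in for a
    real session or identity layer)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def unauthenticated_lookup(registry_id: str) -> Optional[dict]:
    """The behaviour the Avast post describes: whoever presents an id gets
    the whole record, contact details included. Kept here for contrast."""
    reg = REGISTRIES.get(registry_id)
    if reg is None:
        return None
    return {"owner": reg.owner, "items": reg.items,
            "shipping_address": reg.shipping_address, "phone": reg.phone}


def hardened_lookup(headers: Dict[str, str], registry_id: str) -> Tuple[int, dict]:
    """Return (http_status, json_body) for GET /registries/<id>.

    1. Authentication: a valid 'Authorization: Bearer <token>' is mandatory,
       so bulk requests need accounts that can be rate-limited and revoked.
    2. Object-level authorization: only the owner receives shipping address
       and phone; any other authenticated user receives the gift items only,
       which is all a shared wish list needs to expose.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    user = SESSIONS.get(token) if scheme == "Bearer" and token else None
    if user is None:
        return 401, {"error": "authentication required"}

    reg = REGISTRIES.get(registry_id)
    if reg is None:
        return 404, {"error": "not found"}

    if reg.owner == user:
        return 200, {"registry_id": registry_id, "items": reg.items,
                     "shipping_address": reg.shipping_address,
                     "phone": reg.phone}
    # Fulfilment can look up the owner's address server-side when an item
    # is bought; the buyer's client never needs it.
    return 200, {"registry_id": registry_id, "items": reg.items}


if __name__ == "__main__":
    rid = create_registry("alice", ["crib", "stroller"],
                          "1 Example St, Springfield", "555-0100")
    alice, bob = login("alice"), login("bob")
    print(hardened_lookup({}, rid))                                    # 401
    print(hardened_lookup({"Authorization": "Bearer " + bob}, rid))    # items only
    print(hardened_lookup({"Authorization": "Bearer " + alice}, rid))  # full record
```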

So much for all that dedication to security. Merry Christmas, Target shoppers!

from the um,-we-actually-offer-no-encryption-services-of-our-own.-sorry. dept

Scores of big brands – from AT&T and Yahoo! to Netflix, GoPro and Macy's – are being sued because their HTTPS websites allegedly infringe an encryption patent.

It appears in May this year CryptoPeak Solutions, based in Longview, Texas, got its hands on US Patent 6,202,150, which describes "auto-escrowable and auto-certifiable cryptosystems."

CryptoPeak reckons TLS-secured websites that use elliptic curve cryptography are infringing the patent – so it's suing owners of HTTPS websites that use ECC. Top tip: loads of websites use ECC these days to securely encrypt their traffic.

CryptoPeak, of course, offers no cryptography products. It does, however, manage a portfolio of 66 lawsuits, all filed in the Texas Eastern District Court, beginning roughly 60 days after it acquired the patent. Among the illustrious names listed as defendants are PNC Financial Services, VUDU, Netflix, State Farm, Allstate, Petco, GoPro, Mary Kay, Target, Groupon, Williams-Sonoma, Etsy, Priceline… well, the list goes on and on and on.

All of these companies produce goods and services. CryptoPeak does not. The only thing it produces is lawsuits. The patent it's using in its litigation doesn't appear to actually cover the allegedly infringing activity it's suing over.

Perhaps crucially, [the patent] describes a means for "generating public keys" and "publishing public keys", and it's certainly true that ECC does involve generating public keys and using them.

But the patent is focused on "a key recovery agent to recover the user's private key or information encrypted under said user's corresponding public key" – which is really not the point of ECC.

Netflix, which has already moved to dismiss the suit against it, doesn't concern itself too much with the patent's supposed function. Instead, it argues the patent (along with the numerous lawsuits) should be invalidated/tossed because of other wording used in the patent paperwork itself.

The invalidity of the claims asserted here is cut and dry. The Asserted Claims recite “a method and apparatus.” Thus, a practitioner cannot know the scope of the Asserted Claims from reading them because they explicitly claim “separate statutory classes of invention,” an act expressly forbidden by the law. For this reason alone, these claims are invalid on their face, and the Court should declare so at this stage.

Netflix then points out the "method and apparatus" wording appears in multiple claims.

All of which should serve to kill the lawsuit and, possibly the patent, no matter how much the troll protests.

The defect in these claims is so glaring that CryptoPeak’s only choice is to request that the Court overlook the express words of the claims, construe the claims to read out certain language, or even correct the claims. CryptoPeak has done just that in its Amended Complaint, alleging that “[n]othwithstanding that [the claims] generically recite the existence of ‘apparatus’ in their preambles, each of the . . . Asserted Claims is a method claim . . . .” (Dkt. No. 21 at 4 (emphasis added).)

This request is improper and should be rejected. The Court must read the claims as written, “not as the patentees wish they [ ] were written.”

Seems like a solid argument, but CryptoPeak didn't file in this particular court just because it coincidentally happened to have rented a mailbox and an empty office in Longview, Texas shortly before filing the lawsuits. It filed in this court because magical things often happen for patent trolls -- wholly unrelated to the validity of their claims and their affected Texan accents. If this wasn't the case, then this particular district wouldn't be the IP shitmagnet that it is. If CryptoPeak can nail down a few settlements and licensing agreements, it makes the hassle and expense of serial filing worthwhile. And isn't that why our patent system was implemented in the first place?

from the windsocks dept

Update: We've just noticed that we originally named Walmart in this story when it should be Kmart. We've removed the instances of Walmart and deeply regret the error. Also, it should be noted that Kmart Australia and Target Australia are divisions of Wesfarmers Limited and not related to the US corporations with similar names.

As you may have heard if you follow gaming news, the next-gen console version of Grand Theft Auto 5's release in Australia hit a bit of a snag this past week. Now, let's start this off by noting that it was only recently that the government of Australia finally agreed to treat its citizens like adults and allow the kind of video games we enjoy in the States to even be sold in the land down under. It came along with a strict ratings system, of course, but at least these games were finally available for purchase. It was a victory for speech and art.

It's a game that encourages players to murder women for entertainment. The incentive is to commit sexual violence against women, then abuse or kill them to proceed or get 'health' points.

As anyone who has played the game, as I have, can tell you, this is only half true. Or, actually, perhaps less than half, because all the same violence, sexual misanthropy, and cruelty applies at least to the men in the game as well, and I'm pretty sure I remember smacking around some wildlife during my foray into the game as well. The point of GTA5 isn't to demean women; it's to demean everyone and everything. The whole thing is a farce for violence and cruelty. That's its very point. But, to understand the plea of the petition, you have to understand who is issuing it.

We have firsthand experience of this kind of sexual violence. It haunts us, and we've been trying to rebuild our lives ever since. Just knowing that women are being portrayed as deserving to be sexually used by men and potentially murdered for sport and pleasure – to see this violence that we lived through turned into a form of entertainment is sickening and causes us great pain and harm.

Let's be clear about two things. The first is that any real life abuse of women, sexual or otherwise, is a horrific thing and should not be tolerated in any fashion anywhere. It's horrible and it breaks my heart knowing that survivors of such abuse must slog through life on a daily basis overcoming the abuse every step of the way. The second thing we must be absolutely clear on is that for anyone that values free speech, be it government or a corporate entity, the fact that these women issuing their petition are abuse survivors doesn't matter even a little bit. Free speech and artistic expression don't simply get to be limited just because some people may be emotionally hurt by it.

"We've been speaking to many customers over recent days about the game, and there is a significant level of concern about the game's content," [Target's GM of Corporate Affairs] Mr Cooper said. "We've also had customer feedback in support of us selling the game, and we respect their perspective on the issue. However, we feel the decision to stop selling GTA5 is in line with the majority view of our customers."

then they must also explain why this decision over a forever-controversial gaming franchise is only coming upon the re-release of the game, which originally came out a year ago, and how they can also take the following stance.

Mr Cooper said Target would continue to sell other R-rated DVDs and games.

"While these products often contain imagery that some customers find offensive, in the vast majority of cases, we believe they are appropriate products for us to sell to adult customers.

Because the first quote from Mr. Cooper obviates his company's need to take such a stance. All he and Target must do, to remain consistent, is constantly follow the demands of whichever group is shouting the loudest. Because, given that we're talking about one of the best-selling videogames in the history of the medium, that line about Target listening to the majority of consumers is a big bucket of bullshit. And, of course, Target and Kmart will happily sell the game elsewhere in the world, and make gobs of money off of it, while the petitioners updated their petition with "Thank you Target/Kmart" posts.

from the urls-we-dig-up dept

If you've been reading Techdirt for a while, you probably know that we're not big fans of this myth: "If you're not paying for the product, you are the product." Regardless of whether or not you pay for something, some companies will still treat their customers horribly. Likewise, there are also some corporations that try to treat customers (or users) with respect without expectation of payment for the favor. That said, it's easy to make mistakes that get misinterpreted when it comes to analyzing consumer behavior. An unintentional email message to a targeted (or even un-targeted) group of customers can enrage a whole community. Consumer data is available to a lot of companies, but it might be wise for these companies to tread lightly with their data scientists. Here are just a few cases that data miners might want to check out.

from the that's-not-good dept

You may have heard about the recent high-profile, malicious hack of Target's point of sale systems, giving the attackers access to the details of at least 40 million credit cards. Senator Patrick Leahy is, incredibly cynically, using this news event to try to sneak through a change to the "anti-hacking" law, the CFAA, which was used to prosecute Aaron Swartz and many others. And it's not a change to improve that law, but to broaden it, extending massively how the DOJ can charge just about anyone they want with serious computer crimes. This is monumentally bad, and Senator Leahy is trying to hide it behind a major news event because he knows he couldn't get this kind of DOJ wishlist through without hiding it.

Officially, this is Leahy reintroducing his Personal Data Privacy and Security Act -- a bill he's tried to introduce a number of times before. The crux of that bill makes some sense: requiring companies that have had a security breach to inform those who were impacted. State laws (most notably, California's) already include some similar requirements, but this is an attempt to create a federal law on that front. There are some reasonable concerns about such a law, but the general idea of better protecting the public from data breaches, by at least letting them know about it, is an idea worth considering.

The problem is that Leahy has inserted a couple of other dangerous bits and pieces into the bill, including a couple of "reforms" to the parts of the CFAA that have raised significant concerns, and burying them deep within this bill. Section 105 of the bill, for example, simply repeats the same change that the House Judiciary tried to include last year in an attempt at bad CFAA reform. It's basically part of the DOJ's wishlist, changing the CFAA to make you guilty of violating the law if you merely "conspire or attempt to commit" the offense, rather than if you actually do commit the offense. It may be difficult to understand if you just read the proposed bill (this is on purpose), but the bill says it wants to include the term "for the completed offense" so that the CFAA now reads:

Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided for the completed offense in subsection (c) of this section.

Right now, the law does not include those four words. Why is that a big change? As we explained last year:

All they did was add the "for the completed offense," to that sentence. That may seem like a minor change at first, but it would now mean that they can claim that anyone who talked about doing something ("conspires to commit") that violates the CFAA shall now be punished the same as if they had "completed" the offense. And, considering just how broad the CFAA is, think about how ridiculous that might become.

While the proposed bill does include a further change that notes that merely violating a terms of service agreement does not make you subject to the CFAA, it's not just the TOS issue that concerns so many people about the CFAA.

The CFAA needs to be greatly scaled back, not expanded, no matter what the DOJ wants. It's ridiculous that Senator Leahy is not only proposing this, but then trying to hide it in this bill about security breach reporting, tying it to a news event.

from the stupidity-in-action dept

As you may have heard, Beyonce took much of the music world by surprise by launching her new album on iTunes only with no buildup. It was an incredibly successful promotion, garnering a ton of sales, and showing that she recognizes that digital is where the music world is these days. However, in a show of pure spite and jealousy, retailer Target responded by saying that it won't sell her physical CD once it comes out, because they don't want to encourage this sort of "going digital" behavior:

"At Target we focus on offering our guests a wide assortment of physical CDs, and when a new album is available digitally before it is available physically, it impacts demand and sales projections," Target spokesperson Erica Julkowski tells Billboard.

She continues, "While there are many aspects that contribute to our approach and we have appreciated partnering with Beyonce in the past, we are primarily focused on offering CDs that will be available in a physical format at the same time as all other formats. At this time, Target will not be carrying Beyonce's new self-titled album 'Beyonce.'"

This reminds me of the petulant and childish response of movie theaters when filmmakers started trying to release films online at the same time they were in the theaters. Like in that situation, these "brick and mortar" guys are fighting back against the tide, looking out of touch and childish at the same time. I would imagine that the basic reaction to Target's decision is to shrug. It's likely that people care a lot more about Beyonce than they do about Target, and if Target wants to send them elsewhere to get the music they want, those people just won't shop at Target. I'm not sure how Target wins in that situation.

Where this gets even more bizarre is that, generally speaking, CDs and such are low margin, or even loss leaders, for retailers like Target. They don't make their profit there, but rather use the CDs to bring people in to sell them much higher margin goods. Yet, in this case, they won't even get that benefit, all because they think they can prevent the natural tide of the move to digital? Oh, and looking childish and petty in the process. Who at Target thought that was a good idea?

from the urls-we-dig-up dept

Lots of advertisers are turning to data mining techniques to try to squeeze more value out of their budgets. Given all the data that gets collected by our phones/browsers/credit cards/etc, it's not too surprising that ads can get pretty creepy, pretty fast. Here are just a few stories about ads that aren't technically doing anything wrong -- but that haven't quite gotten their privacy behavior right either.

from the from-creepy-to-useful dept

A few years back we talked about how the concept of the "uncanny valley" could be applied to targeted advertising. Of course, the general concept of the uncanny valley is usually discussed in the field of robotics. It's the notion that people are comfortable with robots that clearly look like robots, but at the point where they become very similar to humans without actually being human-like, people feel rather uncomfortable. However, if a robot appears fully human, then people go back to being comfortable with them -- even to the point of identifying with them and feeling empathy for them. The problem is the area where they're "too human" but just different enough to just... feel "off" that somehow makes it "creepy." As we noted, the same thing really was kind of true for targeted advertising. As advertising gets more "targeted" it seems to creep people out, because they feel like they're being spied on.

A perfect example of that is seen in this recent NYTimes Magazine piece, talking about the details of how Target mines its purchasing data to figure out who's pregnant and when they're due. And it's not because they're buying diapers or something like that:

The only problem is that identifying pregnant customers is harder than it sounds. Target has a baby-shower registry, and Pole started there, observing how shopping habits changed as a woman approached her due date, which women on the registry had willingly disclosed. He ran test after test, analyzing the data, and before long some useful patterns emerged. Lotions, for example. Lots of people buy lotion, but one of Pole's colleagues noticed that women on the baby registry were buying larger quantities of unscented lotion around the beginning of their second trimester. Another analyst noted that sometime in the first 20 weeks, pregnant women loaded up on supplements like calcium, magnesium and zinc. Many shoppers purchase soap and cotton balls, but when someone suddenly starts buying lots of scent-free soap and extra-big bags of cotton balls, in addition to hand sanitizers and washcloths, it signals they could be getting close to their delivery date.

As Pole's computers crawled through the data, he was able to identify about 25 products that, when analyzed together, allowed him to assign each shopper a "pregnancy prediction" score. More important, he could also estimate her due date to within a small window, so Target could send coupons timed to very specific stages of her pregnancy.

But, of course, Target then appears to have run into the "uncanny valley" problem of having just enough info to target ads... but doing so in a way that feels creepy:

"If we send someone a catalog and say, 'Congratulations on your first child!' and they've never told us they're pregnant, that's going to make some people uncomfortable," Pole told me. "We are very conservative about compliance with all privacy laws. But even if you're following the law, you can do things where people get queasy."

About a year after Pole created his pregnancy-prediction model, a man walked into a Target outside Minneapolis and demanded to see the manager. He was clutching coupons that had been sent to his daughter, and he was angry, according to an employee who participated in the conversation.

"My daughter got this in the mail!" he said. "She's still in high school, and you're sending her coupons for baby clothes and cribs? Are you trying to encourage her to get pregnant?"

The manager didn't have any idea what the man was talking about. He looked at the mailer. Sure enough, it was addressed to the man's daughter and contained advertisements for maternity clothing, nursery furniture and pictures of smiling infants. The manager apologized and then called a few days later to apologize again.

On the phone, though, the father was somewhat abashed. "I had a talk with my daughter," he said. "It turns out there's been some activities in my house I haven't been completely aware of. She's due in August. I owe you an apology."

Target appears to have recognized just how creepy this appeared -- and once they discovered that the reporter was working on this story they cut off his access to the researcher and wouldn't talk to him at all, other than to make bland PR statements about "delivering outstanding value," and, later, to try to convince him not to publish his story.

However, there are indications that Target tried to cross the uncanny valley.... by making the extremely targeted advertising appear more "life like" by not being "too perfect." That is they still sent targeted ads, but mixed them in with unrelated ads, so people wouldn't realize how targeted they were:

"We have the capacity to send every customer an ad booklet, specifically designed for them, that says, 'Here's everything you bought last week and a coupon for it,' " one Target executive told me. "We do that for grocery products all the time." But for pregnant women, Target's goal was selling them baby items they didn't even know they needed yet.

"With the pregnancy products, though, we learned that some women react badly," the executive said. "Then we started mixing in all these ads for things we knew pregnant women would never buy, so the baby ads looked random. We'd put an ad for a lawn mower next to diapers. We'd put a coupon for wineglasses next to infant clothes. That way, it looked like all the products were chosen by chance.

"And we found out that as long as a pregnant woman thinks she hasn't been spied on, she'll use the coupons. She just assumes that everyone else on her block got the same mailer for diapers and cribs. As long as we don't spook her, it works."

I'm sure that this disturbs some people, who may sense that there's "trickery" going on here, but I'm not sure that's the case. It seems like this actually creates something rather useful. After all, perfectly targeted ads actually provide useful information in that it's ads/deals/coupons targeted for exactly what we need, such that we'll actually save money on the key things we want. That's a benefit to consumers. But if it's done in a way that doesn't feel as creepy, then there aren't those lingering concerns of being tracked -- and that seems a more reasonable fear.

from the how-nice-of-them dept

We've described how some film studios are in a huge legal fight with Redbox over DVD rentals. While some studios have come to their senses and are happy to work with Redbox, others have been trying to pressure the company into giving them a cut of rental revenue and/or delaying when it rents newly released movies. Those studios convinced the big distribution wholesalers to stop selling to Redbox (which seems like a pretty clear restraint of trade or antitrust issue), and in at least one case convinced retailers not to sell to Redbox. Of course, there are ways around that as well, and we even suggested that Redbox could crowdsource its movie purchasing.

In fact, to get around the studio blocks, Redbox was apparently already purchasing 40% of its DVDs at retail locations like Target and Wal-Mart. But both retailers are now making that more difficult. They've put in place limits directly targeted at Redbox, saying they won't sell more than five DVDs at any one time to any buyer. Yes, here we have a customer willing to buy an awful lot of product -- at full retail price -- and these retailers won't let them? While they claim it's to make sure movies are available for other customers, given the earlier reports of studios specifically asking retailers to block Redbox from buying, it makes you wonder. What sort of company would tell willing customers they can't buy a product that is available and in stock?

Still, in the end I doubt those limits will be very effective. Redbox still could go with that crowdsourced concept, and get its subscribers to purchase five DVDs at a time in exchange for free rentals. Eventually, the industry is going to have to realize that fighting Redbox is a mistake.

from the gotta-feed-the-habit dept

Wow. Earlier this year we wrote about a bill, basically pushed for by big offline retailers, that would regulate online retailers. The big retailers made some bogus claims about an online "crimewave" that necessitated such legislation. Since that first bill was introduced in the House, two other related bills have also been introduced, one in the House and one in the Senate. Earlier this week, hearings were held on the three bills, and the big retailers made the astounding claim that online auction sites need to be regulated because their "addictive qualities" lure perfectly innocent people into becoming shoplifters to feed their habit of selling online:

"Thieves often tell the same disturbing story: they begin legitimately selling product on eBay and then become hooked by its addictive qualities, the anonymity it provides and the ease with which they gain exposure to millions of customers. When they run out of legitimate merchandise, they begin to steal intermittently, many times for the first time in their life, so they can continue selling online. The thefts then begin to spiral out of control and before they know it they quit their jobs, are recruiting accomplices and are crossing state lines to steal, all so they can support and perpetuate their online selling habit."

Never mind that the actual stats show that retail theft has been on the decline, while the majority of retail theft is actually due to insiders. Yes, the problem isn't with online retailers magically luring perfectly innocent individuals into lives of crime, but with the big retailers' own employees swiping stuff. Yet, when stores were questioned why they don't do more to prevent in-store theft themselves, a representative from Safeway claimed: "our associates are there to sell groceries, not to be police officers." However, even though the problem is with their own employees, who they don't want to turn into police officers, the retailers are asking Congress to, instead, turn all online retailers into police officers for them.

The combination of bills under consideration would give offline retailers the power to demand that online retailers interrogate sellers to find out if the goods they're offering for sale were stolen. They would also include a DMCA-like notice and takedown provision, allowing retailers to force auctions offline with a single letter and little proof. Yet, the notice-and-takedown is even worse than the DMCA's already dreadful system in that there's no provision to deal with any abuse -- meaning retailers could abuse the system sending false takedown notices and burdening online retailers over and over again, and there would be no punishment. On top of that, the bills would put liability on the retailers, directly contradicting the very point of section 230 of the CDA, which was designed to make sure liability went to the actually guilty party.

Basically, these three bills in combination are nothing more than a bogus effort by big traditional retailers to put a ridiculous liability and burden on online retailers to fix a problem that isn't as big as they make it out to be, and which they, themselves, have the most control over -- though they purposely choose not to do much to exercise that control. And, finally, these big retailers make up a totally bogus and unsubstantiated claim that online selling "addiction" is drawing a large group of folks into an unanticipated life of crime. Hopefully Congress sees through this blatant attempt by big traditional retailers to put a bunch of hurdles in front of online sellers.